Senate Bill Proposes Cyber Training for Federal EmployeesLegislation Would Mandate Supply Chain Security Training Program
A bipartisan bill introduced in the Senate would create a standardized cybersecurity training program for federal employees who purchase technology services.
The lawmakers backing the proposed legislation say it will help the U.S. government protect against security threats and other supply chain vulnerabilities.
The bill, called the Supply Chain Security Training Act, was introduced by Sen. Gary Peters, D-Mich., who is chairman of the Senate Homeland Security and Governmental Affairs Committee, and Ron Johnson, R-Wis., who serves on the committee. It would direct the U.S. General Services Administration - in coordination with the Department of Homeland Security, the Department of Defense and the Office of Management and Budget - to create a supply chain security training program for federal officials who have procurement responsibilities. The bill would also require the Office of Management and Budget to develop guidance for federal agencies to adopt and use the program.
'Back Door' Into Government Systems
Peters stresses the national security importance of this measure, cautioning against threat actors having open access into U.S. systems.
"Recent attacks against American networks show that our foreign adversaries and criminal organizations will stop at nothing to breach federal networks, steal information and compromise our national security," Peters says. "Federal employees need to know how to recognize possible threats when they are purchasing software and equipment that could allow bad actors a back door into government information systems."
Peters says the bill would help strengthen the government's security posture by mitigating threats posed by the very technology that it relies on daily.
Recent Wave of Attacks
The proposed legislation was introduced following a string of recent attacks, including the pervasive SolarWinds supply chain attack detected in December 2020. That campaign, reportedly carried out by Russian hackers, led to follow-on attacks on nine U.S. agencies, including the Treasury Department and the Department of Commerce, as well as 100 companies, including Microsoft, SolarWinds and VMWare (see: 7 Takeaways: Supply Chain Attack Hits SolarWinds Customers).
In May, Colonial Pipeline Co., whose pipeline spans the East Coast, fell victim to a ransomware hit that led the company to temporarily shut down operations. Colonial Pipeline then paid a $4.4 million ransom to the criminal group DarkSide, which reportedly operates out of Eastern Europe, to receive a decryptor. The FBI later recovered $2.3 million of the ransom (see: Colonial Pipeline Confirms Ransomware Causing Disruptions).
Also in May, meat processing giant JBS suffered a ransomware attack that disrupted operations in the U.S., Canada and Australia. The FBI attributed the attack to REvil, aka Sodinokibi, which is a ransomware-as-a-service operation believed to be at least partially based in Russia. JBS later stated it paid $11 million worth of cryptocurrency to the criminal gang (see: Ransomware to Riches Story: JBS Pays Criminals $11 Million).
And in recent days, details have emerged about the REvil supply chain ransomware attack on software vendor Kaseya that may have affected up to 1,500 organizations worldwide.
Commenting on the proposed bill, Johnson says: "Counterintelligence training for federal workers who buy and sell goods and services for the government is critical at a time when our adversaries are probing cyber vulnerabilities to breach our systems and steal information. This type of training will help close a potential gap in our cyber and physical security defenses."
Peters and Johnson introduced similar legislation in 2019. That bill, which was approved by the Senate but did not receive a House vote, was designed to prepare federal personnel to identify and mitigate counterintelligence threats that arise during software acquisition.
Building on Executive Order
The new proposal looks to build on the cybersecurity executive order from President Joe Biden published on May 12, which requires government departments to create baseline security standards for software - including application visibility and access to security data. The directive also requires that vendors incorporate security during development. Plus, a new label, similar to the Energy Star label, will be created for the government and private industry to determine whether software has been developed securely (see: Biden Signs Sweeping Executive Order on Cybersecurity).
In additional documentation on the executive order, the White House notes, "Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit." Using the purchasing power of the federal government, the administration hopes to "build security into all software from the ground up."